xx

Welcome to Majorgeeks!
AVG is still freeware ....running your system without anti-virus software is a serious no-no.
Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis​

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy
  • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

You haven't attached anything ...are you having problems doing so?

 

Please view this thread How to attach....

 

Try attaching only one log at a time and after it is attached. Edit the message and attach a second and then a third. Note the fourth log has to be in a second message.

 

Inline logs are too hard to read!!! They will be deleted since we cannot spend the time it takes to read them due to the formatting getting corrupted. Please put the logs you could not attach into a ZIP file and attach the ZIP file.

 

AVG Antispyware should have been run before not after GetRunKey, ShowNew or HJT.

 

You need to run the below procedure:

ChodeFix - How download and run

After running that, you must install and rename HijackThis exactly as request in step 7 of the READ ME!!

Then attach (if possible otherwise ZIP) new logs from GetRunKey and HJT.

 

Okay! Did you see message number 14? That is one of your main problems. You have a Chode infection and need to run that procedure and then try attach the new logs. I will more than likely have to make a special version of ChodeFix afterwards tailored for just you to complete the fixes.

 

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 8
My Global Search Bar

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment



Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SpoofBHO Class - {F67EEB12-AB09-11DB-A6F1-260856D89593} - C:\WINDOWS\se_spoof.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O21 - SSODL: Vbamidat - {E456A969-8F2D-4F8F-8194-BA5B8549F827} - C:\WINDOWS\system32\bmpegdde.dll

After clicking Fix, exit HJT.


Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now attach the below new logs (you should not need to ZIP them anymore) and tell me how the above steps went.

1. Avenger
2. GetRunKey
3. ShowNew
4. HJT

Make sure you tell me how things are working now!

 

Please attach the HijackThis log as requested and let us decide whether it is clean or not.

In the future, please remember to finish running GetRunKey by closing the popup notepad windows, before running ShowNew. This is mentioned in the READ & RUN ME.

Delete the below file:
C:\crtlsf.dll

At this point I'm expecting that any remaining issues your having are not due to malware and I may be sending you off to the Software Forum. However please run the below first and let me know if if helps to repair your internet connection:

XP TCP/IP Repair

 

Your HJT log is not clean and it even looks like you did not do what was requested in message # 18. Let's try again but the total procedure is slightly different since all files were deleted last time by Avenger.

Make sure when you run the below procedure that only one user account is logged in (i.e. do not use Switch User before or during) also make sure that no unnecessary process are running and when I request that browsers are closed you must make sure that you do close the browsers.

First goto Add/Remove programs and uninstall TrustIn Contextual


Run HijackThis and select Do a system scan only. Then select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SpoofBHO Class - {F67EEB12-AB09-11DB-A6F1-260856D89593} - C:\WINDOWS\se_spoof.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O21 - SSODL: Vbamidat - {E456A969-8F2D-4F8F-8194-BA5B8549F827} - C:\WINDOWS\system32\bmpegdde.dll

After clicking Fix Checked, exit HJT.

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now reboot in normal mode

Now run Ccleaner

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now! If you still get an error when trying to connect to the internet, youmust give exact word for word error messages. You never mentioned RAS 711 until your last message. This is more than likely not a malware issue but rather an issue within your OS. Are you using a dialup connection?